2
7
Fork
You've already forked feps
0

FEP-9f9f: Collections #20

Open
opened 2026年04月04日 12:41:18 +02:00 by mariusor · 3 comments

I have a couple of clarifications regarding what GoActivityPub does, that might be useful for this FEP:

On "Updating collections"

I think it's worth clarifying that Add, Remove, Move refer to operations on the items/orderedItems property of the collection.

Perhaps also clarifying IF these operations should update the updated property of the collection, which I think they should.

Additionally I think that clarifying that the other properties of the collection can/should be modified through Update activities using the normal ActivityPub flow.

On Pagination

I think it's worth adding the standard term used for "cursor pagination" in the technical literature, which to the best of my knowledge is "keyset pagination".

On Access control

This section can be expanded a little, I'm not sure there's any FEP's that proposes this idea already, but it can be generally applied to all local objects a service exposes.

The "SHOULD be filtered based on the permissions of a user" is pretty vague, so I'd clarify that the "user" is reconstituted based on whichever authorization mechanism the user-agent is using (OAuth2, HTTP-Signatures, or something else) and which contains a valid Actor ID. (Eg, in the case of HTTP Signatures, we retrieve the Public Key and consider its Owner as the authorized user)

If that's not possible, only Public addressed content is returned.

Secondly, I think the method of building the access control list could be detailed.

In GoActivityPub I'm using all the recipient fields (To, CC, Bto, BCC), so including the blind ones, to build the list of Actor IDs that then get checked against the authorized user from above. Also the "Audience" property can be used.

And a last thing that I'm doing in GoActivityPub, is that there's two levels of access control checks for collections:

  1. The collection object itself needs to be accessible to the authorized user.
  2. The individual items in the items/orderedItems list get filtered separately based on their own recipients ACL against the same authorized user.

In conclusion, I'm not sure if all these ideas are valid to be used on a larger scale, but some feel "common sense" enough that they might be generally applicable.

I have a couple of clarifications regarding what GoActivityPub does, that might be useful for this FEP: ### On "Updating collections" I think it's worth clarifying that `Add`, `Remove`, `Move` refer to operations on the items/orderedItems property of the collection. Perhaps also clarifying **IF** these operations should update the `updated` property of the collection, which I think they should. Additionally I think that clarifying that the other properties of the collection can/should be modified through `Update` activities using the normal ActivityPub flow. ### On Pagination I think it's worth adding the standard term used for "cursor pagination" in the technical literature, which to the best of my knowledge is "keyset pagination". ### On Access control This section can be expanded a little, I'm not sure there's any FEP's that proposes this idea already, but it can be generally applied to _all_ local objects a service exposes. The "SHOULD be filtered based on the permissions of a user" is pretty vague, so I'd clarify that the "user" is reconstituted based on whichever authorization mechanism the user-agent is using (OAuth2, HTTP-Signatures, or something else) and which contains a valid Actor ID. (Eg, in the case of HTTP Signatures, we retrieve the Public Key and consider its `Owner` as the **authorized user**) If that's not possible, only Public addressed content is returned. Secondly, I think the method of building the access control list could be detailed. In GoActivityPub I'm using all the recipient fields (To, CC, Bto, BCC), so including the blind ones, to build the list of Actor IDs that then get checked against the authorized user from above. Also the "Audience" property can be used. And a last thing that I'm doing in GoActivityPub, is that there's two levels of access control checks for collections: 1. The collection object itself needs to be accessible to the authorized user. 2. The individual items in the items/orderedItems list get filtered separately based on their own recipients ACL against the same authorized user. ___ In conclusion, I'm not sure if all these ideas are valid to be used on a larger scale, but some feel "common sense" enough that they might be generally applicable.

Thank your for opening an issue!

I think it's worth clarifying that Add, Remove, Move refer to operations on the items/orderedItems property of the collection.

I clarified this in fediverse/fep#811.

Perhaps also clarifying IF these operations should update the updated property of the collection, which I think they should.

Why? I agree that it is a good idea, but should it really be a requirement?

Additionally I think that clarifying that the other properties of the collection can/should be modified through Update activities using the normal ActivityPub flow.

This is already stated in "Updating collections" section.

I think it's worth adding the standard term used for "cursor pagination" in the technical literature, which to the best of my knowledge is "keyset pagination".

Could you provide any authoritative references? I didn't find anything in Wikipedia, and it seems that both variants are used interchangeably in blogs and software documentation, with "cursor" being slightly more popular.

On Access control
This section can be expanded a little, I'm not sure there's any FEP's that proposes this idea already, but it can be generally applied to all local objects a service exposes.

I expanded this section in fediverse/fep#811:

  • Changed SHOULD to MUST in the sentence where we discuss permission-based filtering. I probably saw SHOULD in the ActivityPub spec (section 5.2. Inbox), but now I realize that it's wrong.
  • Added a statement about access without authorization.
  • Clarified how to control access to collection itself.

Access control in general is discussed in my other FEP, Origin-based security model. I probably need to add some clarifications there as well.

Thank your for opening an issue! > I think it's worth clarifying that Add, Remove, Move refer to operations on the items/orderedItems property of the collection. I clarified this in https://codeberg.org/fediverse/fep/pulls/811. > Perhaps also clarifying IF these operations should update the updated property of the collection, which I think they should. Why? I agree that it is a good idea, but should it really be a requirement? >Additionally I think that clarifying that the other properties of the collection can/should be modified through Update activities using the normal ActivityPub flow. This is already stated in "Updating collections" section. > I think it's worth adding the standard term used for "cursor pagination" in the technical literature, which to the best of my knowledge is "keyset pagination". Could you provide any authoritative references? I didn't find anything in Wikipedia, and it seems that both variants are used interchangeably in blogs and software documentation, with "cursor" being slightly more popular. >On Access control >This section can be expanded a little, I'm not sure there's any FEP's that proposes this idea already, but it can be generally applied to all local objects a service exposes. I expanded this section in https://codeberg.org/fediverse/fep/pulls/811: - Changed SHOULD to MUST in the sentence where we discuss permission-based filtering. I probably saw SHOULD in the ActivityPub spec (section [5.2. Inbox](https://www.w3.org/TR/activitypub/#inbox)), but now I realize that it's wrong. - Added a statement about access without authorization. - Clarified how to control access to collection itself. Access control in general is discussed in my other FEP, [Origin-based security model](https://codeberg.org/fediverse/fep/src/branch/main/fep/fe34/fep-fe34.md#access-control). I probably need to add some clarifications there as well.

Why? I agree that it is a good idea, but should it really be a requirement?

I didn't mean it a "requirement" as in a MUST, but perhaps a SHOULD. And because the Collection document has been updated, its items/ordered items are part of it...

Could you provide any authoritative references

Now that I've looked I don't find any... I don't know why I believed this was the canonical name...

> Why? I agree that it is a good idea, but should it really be a requirement? I didn't mean it a "requirement" as in a MUST, but perhaps a SHOULD. And because the Collection document has been updated, its items/ordered items are part of it... > Could you provide any authoritative references Now that I've looked I don't find any... I don't know why I believed this was the canonical name...

I didn't mean it a "requirement" as in a MUST, but perhaps a SHOULD. And because the Collection document has been updated, its items/ordered items are part of it...

Added this recommendation in fediverse/fep#812

>I didn't mean it a "requirement" as in a MUST, but perhaps a SHOULD. And because the Collection document has been updated, its items/ordered items are part of it... Added this recommendation in https://codeberg.org/fediverse/fep/pulls/812
Sign in to join this conversation.
No Branch/Tag specified
main
No results found.
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
2 participants
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
silverpill/feps#20
Reference in a new issue
silverpill/feps
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?